Intune compliance policies can be handy to make sure the devices in your environment have Secure Boot, antivirus, or BitLocker configured.
What if your organization has an application that you need to be running on all devices? I would expect this to be useful for organizations that have 3rd party security applications that run an agent on your devices. My organization, for example, has about 378 (that may be an exaggeration) different agents that are required to be running on Windows devices.
Sure, you can set up required applications to make sure all these agents are installed on all your devices, but then going back and actually verifying that they are running? Yeah, you can do that with Intune and some custom compliance policies!
Let’s take a look at how!
First, you're going to need a custom PowerShell script and a custom JSON file. We're going to set this up as if we're checking to ensure that Notepad.exe is running on all our machines. If you want to check for a different application, just replace Notepad.exe with the executable for whatever application you're concerned about.
PowerShell script:
# Default to "not running"; flipped to $True only if a matching process is found.
$NotepadActive = $False
# Query the process list for an exact name match (runs as SYSTEM under the Intune Management Extension, so all sessions are visible).
If( Get-CimInstance -ClassName Win32_Process -Filter "Name='notepad.exe'" ) { $NotepadActive = $True }
# The key name here must match "SettingName" in the JSON rule exactly.
$Output = @{ NotepadActive = $NotepadActive }
# Intune expects the result as a single compressed JSON object.
Return $Output | ConvertTo-Json -Compress
JSON file:
{
  "Rules": [
    {
      "SettingName": "NotepadActive",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://bing.com",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "This machine isn't running Notepad.",
          "Description": "To continue to use this device you have to install Notepad."
        }
      ]
    }
  ]
}
Once you create those two files, you can set up your new compliance policy.
In Intune go to Home > Devices > Compliance and upload your PowerShell script in the “Scripts” section.
Then go back to Policies and create a new policy, give it a name, and click through to the Compliance settings section of the wizard.
Click to select your previously uploaded PowerShell script and then upload your JSON file. Click through the rest of the wizard, and you'll have a new compliance policy that tests for your specific application running on your devices.
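As an added example (not part of the original post), the script below extends the Notepad check to several agents at once and tightens what "running" means: the process must exist, its Windows service must be in the Running state, and the running binary must carry a valid Authenticode signature from the expected publisher, so a stray process that merely shares the agent's file name is not counted. The agent, service and publisher names are placeholders; each key written into $Output needs its own Boolean rule in the compliance JSON.

```powershell
# Added example, not from the original post. Process, service and publisher
# values below are placeholders; replace them with your vendor's real values.
# Every key in $Output needs a matching JSON rule:
#   "SettingName" = key, "DataType" = "Boolean", "Operator" = "IsEquals", "Operand" = true
$Agents = @(
    @{ Setting = 'ExampleEdrAgentHealthy';    Process = 'ExampleEdrAgent.exe';    Service = 'ExampleEdrSvc';    Publisher = 'Example EDR Vendor' },
    @{ Setting = 'ExampleBackupAgentHealthy'; Process = 'ExampleBackupAgent.exe'; Service = 'ExampleBackupSvc'; Publisher = 'Example Backup Vendor' }
)

$Output = @{}
foreach ($Agent in $Agents) {
    # 1. Is a process with the expected name running? (Same check as the Notepad script.)
    $Proc = Get-CimInstance -ClassName Win32_Process -Filter "Name='$($Agent.Process)'" |
            Select-Object -First 1
    $ProcessRunning = $null -ne $Proc

    # 2. Is the agent's service actually Running, not merely installed or Stopped?
    $Svc = Get-Service -Name $Agent.Service -ErrorAction SilentlyContinue
    $ServiceRunning = ($null -ne $Svc) -and ($Svc.Status -eq 'Running')

    # 3. Is the running binary signed by the expected publisher? Checking only the
    #    file name would accept any executable that happens to be called the same.
    $Signed = $false
    if ($ProcessRunning -and $Proc.ExecutablePath) {
        $Sig = Get-AuthenticodeSignature -FilePath $Proc.ExecutablePath
        $Signed = ($Sig.Status -eq 'Valid') -and
                  ($Sig.SignerCertificate.Subject -like "*$($Agent.Publisher)*")
    }

    # A device is compliant for this agent only when all three checks pass.
    $Output[$Agent.Setting] = $ProcessRunning -and $ServiceRunning -and $Signed
}

# Intune expects a single compressed JSON object as the script's output.
return $Output | ConvertTo-Json -Compress
```

Give each rule its own RemediationStrings entry naming the specific agent, so the user (and the Intune compliance report) can tell which agent failed rather than seeing one generic message.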